
Internal IPs exclusion for HTTP protocol

Created: 15 Dec 2011 • Updated: 14 Jan 2012 | 11 comments
This issue has been solved. See solution.

Hi,

Can anyone help me exclude internal IPs (destination internal IPs) for the HTTP protocol, because it generates false positive incidents.

DLP version: 11.1.1000.10054

Because internal HTTP has an IP range of 10, that's why I wrote -,10.0.0.0/8,10.0.0.0/8;+,*,* . Is it right? Or is there anything else?

 

Pravin Loks


Thomas K

Hello, Please see this thread for a possible solution - https://www-secure.symantec.com/connect/forums/nee...

I hope this is helpful.

Best,

Thomas

AlbertL

Hi Thomas,

Thanks for your reply, but we are still facing the same problem, i.e. the incident is still being generated.

Please guide me on the same for FTP and HTTP, to exclude the whole 10-series IP network as the destination IP, with any source.

We have already written -,10.0.0.0/8,*;+,*,* in the System --> Protocol tab for exclusion, with the FTP port defined as 21 and port 80 for HTTP, and we are still getting the incident generated on the same port.

NOTE: I am using Endpoint for FTP and HTTP traffic.

Thanks & regards

Pravin

Albert L
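The two filter strings posted so far read differently than the posts intend: -,10.0.0.0/8,10.0.0.0/8 only excludes a flow whose source AND destination are both in 10/8, and -,10.0.0.0/8,* excludes by source, not by destination. The following Python evaluator is an added example, not code from the page or from Symantec, and it assumes the Network Monitor protocol IP-filter semantics as they appear in the posted strings: rules separated by semicolons, each written action,source,destination, where + includes and - excludes, evaluated in order with the first matching rule deciding; * matches any address, anything else is a CIDR block or a single address. The default verdict when no rule matches is an assumption (the trailing +,*,* in the posted filters makes it moot). The sample flows are constructed.

```python
import ipaddress

# Constructed sample flows (source IP, destination IP) used to exercise the filters.
SAMPLE_FLOWS = [
    ("192.168.1.5", "10.1.2.3"),     # external source -> internal (10/8) destination
    ("10.1.1.1", "10.2.2.2"),        # internal -> internal
    ("10.1.1.1", "203.0.113.7"),     # internal source -> external destination
    ("192.168.1.5", "203.0.113.7"),  # external -> external
]


def _network(pattern):
    """'*' matches anything (None); otherwise a CIDR block or a single address."""
    if pattern == "*":
        return None
    return ipaddress.ip_network(pattern, strict=False)


def _match(net, ip):
    return net is None or ipaddress.ip_address(ip) in net


def parse_filter(expr):
    """Parse 'action,source,destination;...' into a list of (include, src_net, dst_net).

    Assumed semantics (modelled on the strings posted in the thread, not verified
    against Symantec documentation): '+' includes, '-' excludes, rules are
    evaluated in order and the first matching rule decides.
    """
    rules = []
    for raw in expr.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        parts = [p.strip() for p in raw.split(",")]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"bad filter rule: {raw!r}")
        action, src, dst = parts
        rules.append((action == "+", _network(src), _network(dst)))
    return rules


def is_monitored(expr, src_ip, dst_ip, default=False):
    """True if the flow is kept (monitored) under expr, False if excluded.

    'default' is the assumed verdict when no rule matches at all.
    """
    for include, src_net, dst_net in parse_filter(expr):
        if _match(src_net, src_ip) and _match(dst_net, dst_ip):
            return include
    return default


def evaluate(expr, flows=SAMPLE_FLOWS):
    """Map each (src, dst) flow to its verdict under expr."""
    return {flow: is_monitored(expr, *flow) for flow in flows}


# The filter from the original question: excludes only flows with BOTH ends in 10/8.
ORIGINAL = "-,10.0.0.0/8,10.0.0.0/8;+,*,*"
# The filter from the follow-up post: excludes flows whose SOURCE is in 10/8.
BY_SOURCE = "-,10.0.0.0/8,*;+,*,*"
# What the posts ask for: any source, destination in 10/8, excluded.
BY_DESTINATION = "-,*,10.0.0.0/8;+,*,*"

if __name__ == "__main__":
    for name, expr in (("original", ORIGINAL),
                       ("by source", BY_SOURCE),
                       ("by destination", BY_DESTINATION)):
        print(f"{name}: {expr}")
        for flow, verdict in evaluate(expr).items():
            print("   ", flow, "monitored" if verdict else "excluded")
```

Running it shows that under the original filter an external client talking to a 10/8 server is still monitored, under the by-source filter a 10/8 client talking to an external server is dropped, and only the by-destination form drops every flow whose destination is in 10/8 regardless of source. Note that, per Keith's reply in this thread, these System --> Protocol filters apply to Network Monitor only; the Endpoint agent has its own IP filter in Agent Configuration.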

Keith Reynolds - ExchangeTek

Well, if you're using Endpoint for those, then modifying the Protocols in the System-->Protocol page won't affect that at all.  These protocol definitions are specific to Network Monitor.  You would need to add IP filters to the Agent Configuration instead.

~Keith

SOLUTION
yang_zhang

As you are using endpoint for FTP and HTTP traffic, you need to change the Agent Configuration.

Log into Enforce Console, choose 'System' --> 'Agents' --> 'Agent Configuration', in the list, choose the configuration used by your endpoint. On the 'Filter by Network Properties' section, fill the IP filter:

AlbertL

Hi,

Thanks kreynolds and yang_zhang,

I applied the solution given by you; it works fine for HTTP and FTP, but incidents are still generated for the HTTPS protocol in the 10-series IP range, even if I check-mark the HTTPS protocol for IE and Firefox in agent monitoring.

Please advise me.

Thanks

Pravin

Albert L

sacrificeme

You may use the L7 layer filter and exclude some external IPs from here.

e.g. -84.52.94.43;-94.42.23.4;

Keith Reynolds - ExchangeTek

That's odd...could be a bug in there considering it's working for the other protocols.  I'm not aware of anything specific to HTTPS on the Endpoint IP filters that would require configuration somewhere else.

You could try putting the IP into an exclusion on the policies and see if that works (might be an immediate workaround if it is a bug).  It will be a little more to manage from a policy administration standpoint, but should work.

Apart from that, I'd consider opening a case with Support and see what they say about it.  If I get a chance, I'll see if I can reproduce the same on a test system.  What version of DLP are you running (server version and agent version)?

 

~Keith

AlbertL

Hi,

 

server version:11.1.1000.10054  

agent version:11.1.1000.10054

Albert L

AlbertL

Hi Keith/All,

I observed the incidents for both protocols (HTTP and HTTPS) on Endpoint and found that the Destination IP field for HTTPS is not present in the Incident Details page, while it is present for HTTP and FTP.

If the logic is designed in such a way that it should take a decision on the Destination IP field.

Please help me resolve this issue.

 

Loks

Albert L

prakash.soni24@gmail.com

You can use filtering of any kind, like filtering by domain, email address or IP address, recipient address, sender address.

Location: Edit Policy > here inside the policy you will find three tabs:

Detection, Group, Response

You can go to the Group tab and filter anything I have mentioned above.